|
5 | 5 | author: kgremban
|
6 | 6 | ms.service: azure-iot-hub
|
7 | 7 | ms.topic: conceptual
|
8 |
| - ms.date: 11/15/2024 |
| 8 | + ms.date: 1/7/2025 |
9 | 9 | ms.author: kgremban
|
10 | 10 | ---
|
11 | 11 |
|
@@ -45,37 +45,34 @@ For links to download these certificates, see [Azure Certificate Authority detai
|
45 | 45 | Root CA migrations are extremely rare, you should always prepare your IoT solution for the unlikely event that a root CA is compromised and an emergency root CA migration is necessary.
|
46 | 46 |
|
47 | 47 | ## Cipher Suites
|
48 |
| -To comply with Azure security policy for a secure connection, IoT Hub supports the following cipher suites: |
49 |
| - |
50 |
| -| Cipher Suites | Description | |
51 |
| -|-------------------------------------------|------------------------------| |
52 |
| -| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | TLS 1.2, 1.3 RSA cipher suites | |
53 |
| -| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | TLS 1.2, 1.3 RSA cipher suites | |
54 |
| -| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | TLS 1.2, 1.3 RSA cipher suites | |
55 |
| -| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | TLS 1.2, 1.3 RSA cipher suites | |
56 |
| -| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | TLS 1.2, 1.3 ECDSA cipher suites | |
57 |
| -| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | TLS 1.2, 1.3 ECDSA cipher suites | |
58 |
| -| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | TLS 1.2, 1.3 ECDSA cipher suites | |
59 |
| -| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | TLS 1.2, 1.3 ECDSA cipher suites | |
60 |
| - |
61 |
| -The following cipher suites are weak and no longer recommended, and these cipher suites will be retired in accordance with the Azure TLS end of support. |
62 |
| - |
63 |
| -| Cipher Suites | TLS Version | |
| 48 | +To comply with Azure security policy for a secure connection, IoT Hub supports the following RSA and ECDSA cipher suites for TLS 1.2: |
| 49 | + * `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` |
| 50 | + * `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` |
| 51 | + * `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` |
| 52 | + * `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` |
| 53 | + * `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` |
| 54 | + * `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` |
| 55 | + * `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` |
| 56 | + * `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` |
| 57 | + |
| 58 | +The following cipher suites are currently allowed in IoT Hub, however these cipher suites are no longer recommended by the Azure security guidelines. |
| 59 | + |
| 60 | +| Cipher Suites | TLS Version support | |
64 | 61 | |---------------------------------------|------------------------------------|
|
65 |
| -| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 Weak Cipher Suites | |
66 |
| -| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 Weak Cipher Suites | |
67 |
| -| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 Weak Cipher Suites | |
68 |
| -| TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 Weak Cipher Suites | |
69 |
| -| TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 Weak Cipher Suites | |
70 |
| -| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 Weak Cipher Suites | |
71 |
| -| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 Weak Cipher Suites | |
72 |
| -| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
73 |
| -| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
74 |
| -| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
75 |
| -| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
76 |
| -| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
77 |
| -| TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
78 |
| -| TLS_RSA_WITH_AES_256_CBC_SHA | TLS 1.0/1.1/1.2 Weak Cipher Suites | |
| 62 | +| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | |
| 63 | +| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | |
| 64 | +| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | |
| 65 | +| TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | |
| 66 | +| TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | |
| 67 | +| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 | |
| 68 | +| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | |
| 69 | +| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS 1.0/1.1/1.2| |
| 70 | +| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS 1.0/1.1/1.2| |
| 71 | +| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS 1.0/1.1/1.2| |
| 72 | +| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.0/1.1/1.2| |
| 73 | +| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.0/1.1/1.2| |
| 74 | +| TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.0/1.1/1.2| |
| 75 | +| TLS_RSA_WITH_AES_256_CBC_SHA | TLS 1.0/1.1/1.2| |
79 | 76 |
|
80 | 77 | A client can suggest a list of higher cipher suites to use during `ClientHello`. However, some of them might not be supported by IoT Hub (for example, `ECDHE-ECDSA-AES256-GCM-SHA384`). In this case, IoT Hub will try to follow the preference of the client, but eventually negotiate down the cipher suite with `ServerHello`.
|
81 | 78 |
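Review bot: the rebuilt "no longer recommended" table has duplicate rows and one entry that contradicts the supported list directly above it. `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` and `TLS_RSA_WITH_3DES_EDE_CBC_SHA` each appear twice in the table; list each once. More importantly, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` is in the supported bullet list and also in the not-recommended table, so a reader cannot tell which status applies; keep it in one place only. The same tension exists with the unchanged paragraph that follows: it gives `ECDHE-ECDSA-AES256-GCM-SHA384` as an example of a suite IoT Hub might not support, while the new list names the same suite (IANA form `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`) as supported; change either the example or the list. Narrowing the intro from "TLS 1.2, 1.3" to "for TLS 1.2" is correct, since these are TLS 1.2 suite names and TLS 1.3 uses its own, but the old sentence about retirement "in accordance with the Azure TLS end of support" was dropped without a replacement, so consider keeping a pointer to the retirement schedule. Two style points: "currently allowed in IoT Hub, however these cipher suites are no longer recommended" is a comma splice and reads better as "currently allowed in IoT Hub; however, these cipher suites are no longer recommended", and the table's suite names should be backticked to match the bullet list.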
|
|